Business Passwords: best practice for you and your staff

Digital security is a constantly evolving field, and the best practice of last year may be leaving your business vulnerable today. Gone are the days of forcing a password change every month: current guidance puts the user first. That gives us two topics to cover: what advice you should give your staff for choosing their business passwords, and what password security your organisation should use.

Advice for your staff

Creating strong passwords


Passwords should be at least 8 characters, and preferably much longer. A whole phrase works well, and length is what matters most.

Easy to remember

As long as the password is long, filling it with special characters and numbers matters much less. What is a problem is staff having to write a password down to remember it: that is a serious risk to your business's security.

Hard to guess

Avoid any common passwords (they can check a candidate against this list). Also avoid anything personal to them, such as birthdays, pets' names or catchphrases. Protecting against guesses by people they know is just as important as protecting against strangers.

Best practice

Don’t reuse

As tempting as it may be, reusing a password across different accounts leaves you far more vulnerable: one leaked password then opens all of them. Don't make them too similar either; knowing one password should not let somebody guess the others.
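The rules above (length, not on a common-password list, nothing personal, not a minor edit of the last one) are easy to enforce automatically at the point where staff choose a password. The following is an added example, not code from the original article; the user record, the short common-password list and the letter-for-symbol table are constructed for the demonstration, and a real deployment would load a published list of leaked passwords instead.

```python
"""Password acceptance checks for the advice above.

Added example, not code from the original article. Rules implemented:
  * minimum length (8 here; the article recommends much longer),
  * reject passwords that appear on a common-password list,
  * reject passwords built from things colleagues could guess
    (name, birthday, pet's name),
  * reject a new password that is only a small edit of the previous one.
COMMON_PASSWORDS is a short constructed stand-in for a real published list.
"""
import re
from datetime import date
from typing import Optional

MIN_LENGTH = 8

# Constructed stand-in: a real deployment loads a published list of many
# thousands of leaked or common passwords from disk instead.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "monkey", "football", "summer2019",
}

# Small table of the usual letter-for-symbol swaps, so that 'P@ssw0rd!' is
# recognised as 'password'.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                       "4": "a", "5": "s", "7": "t"})


def _normalise(s: str) -> str:
    """Lower-case, undo common substitutions and drop punctuation, so that
    comparisons look at the underlying word rather than its decoration."""
    return re.sub(r"[^a-z0-9]", "", s.lower().translate(_LEET))


_COMMON_NORMALISED = {_normalise(p) for p in COMMON_PASSWORDS}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _personal_tokens(user: dict):
    """Strings someone who knows the user could guess, already normalised."""
    tokens = [("your name", part) for part in user.get("name", "").split()]
    if user.get("pet"):
        tokens.append(("your pet's name", user["pet"]))
    birthday = user.get("birthday")
    if birthday:
        for fmt in ("%Y", "%d%m", "%d%m%y", "%d%m%Y", "%Y%m%d", "%m%d%y"):
            tokens.append(("your birthday", birthday.strftime(fmt)))
    return [(label, _normalise(t)) for label, t in tokens]


def check_password(candidate: str, user: dict, previous: Optional[str] = None) -> list:
    """Return the reasons a password is rejected; an empty list means accept."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = _normalise(candidate)
    if norm in _COMMON_NORMALISED:
        problems.append("appears on the common-password list")
    for label, token in _personal_tokens(user):
        msg = f"contains {label}"
        if len(token) >= 3 and token in norm and msg not in problems:
            problems.append(msg)
    if previous:
        old = _normalise(previous)
        if old and (old in norm or norm in old or _edit_distance(old, norm) <= 2):
            problems.append("too similar to the previous password")
    return problems


def demo_user() -> dict:
    """Constructed user record for the demonstration."""
    return {"name": "Alice Smith", "birthday": date(1990, 4, 12), "pet": "Rex"}


if __name__ == "__main__":
    for pw, old in [("P@ssw0rd!", None), ("Rex2001!", None),
                    ("Summer2020", "Summer2019"), ("correct horse battery staple", None)]:
        print(f"{pw!r}: {check_password(pw, demo_user(), old) or 'accepted'}")
```

Run as a script it rejects the first three candidates (a disguised common password, the pet's name, and a one-year bump of last year's password) and accepts the long passphrase; the reasons returned are what you would show the user so they can fix the password rather than just being told "no".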

Web-browsing health

Caution and common sense when browsing the internet and clicking links go a long way towards avoiding malware and compromised accounts.

No hints and post-its

Don’t leave password hints and never leave passwords written down anywhere!

What should your organisation do?

Two-factor authentication

What is it?

This ties access to a physical, registered device: to get in you need something you have (the device) as well as something you know (the password). Setups vary, but a typical one is that signing in to your work email from a new computer also requires a code from an app on your phone. Because the account is tied to the device, a compromised password alone is no longer enough to breach it.

Backup options

As your account is tied to a physical device, it's important to have a fall-back in case you lose it. This can be as simple as registering a secondary device; many services also issue one-time recovery codes at setup, which should be stored somewhere safe rather than on the device itself.

Who offers it?

A lot of tech companies, including Microsoft, offer this facility. If in doubt, get in touch with their customer service team to find out.

Managing multiple passwords

Password managers

These divide opinion in the security world. On one hand, they allow every account to have a very long, unique password without anyone having to remember it. On the other hand, the manager itself becomes a single point of failure. Depending on which service you use, there are further steps to get the best of both worlds: a long master passphrase that is used nowhere else, and two-factor authentication on the manager's own account.

Microsoft’s solution

With Azure Active Directory, users can use their work account to sign in to a wide variety of applications and services, as well as their devices, using Single Sign On (SSO). Each of these apps can be controlled from an admin portal and Microsoft brings much more control and security functionality with its Enterprise Mobility + Security suite.

Prevent password theft


Malware, especially keyloggers, can capture your passwords however complex they are. A high-quality antivirus product on every device helps protect against this threat, and it is another reason to use two-factor authentication: a captured password is not enough on its own.

Beyond the password


Several companies, including Microsoft and Apple, are starting to use biometrics rather than passwords to authenticate users. Fingerprint scanners in phones are the most prevalent example, and infrared facial recognition such as Windows Hello is already following them. There is still a lot of debate about how secure these systems are, and any new security technology brings the risk of new exploits, but the industry seems committed to making the user the key to account access and we expect the technology to keep improving.

Continuous authentication

Traditional password protection works like a house key: once you're in, you're in. Any breach therefore leaves you wide open to abuse without your knowing about it. Continuous authentication abandons this model and keeps monitoring users after they have logged in. Even if somebody manages to break into your account, their activity will not match your behaviour profile and additional security measures will be triggered, such as asking for a second factor or ending the session. The same approach can analyse how users enter their login details, so having the password alone is not enough to access an account. If you'd like to take advantage of user behaviour analysis and machine learning now, Microsoft's Advanced Threat Analytics is a great solution for intelligent monitoring.
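To make the behaviour-profile idea concrete, here is an added example of the simplest form of it, scoring each event in a session against what the user normally does. It is not code from the original article or from any Microsoft product: the profile, the scoring weights, the two-hour "impossible travel" simplification and all the events are constructed for the demonstration.

```python
"""Risk scoring of sign-in and session events against a per-user behaviour
profile, illustrating the continuous-authentication idea above.

Added example, not code from the original article or from any Microsoft
product. The profile records what a user normally does (devices, countries,
hours of the day); every later event, not just the login, is scored and a
high score triggers a step-up (second factor, or ending the session) instead
of trusting the session forever. The 'impossible travel' rule is simplified
to 'country changed within two hours'. All events below are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

STEP_UP_THRESHOLD = 4
TRAVEL_WINDOW = timedelta(hours=2)


@dataclass
class Event:
    user: str
    time: datetime
    device: str
    country: str
    action: str = "login"


@dataclass
class Profile:
    devices: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)

    def seen(self) -> int:
        return sum(self.hours.values())


def build_profile(history) -> Profile:
    """Learn the baseline from a user's past events."""
    profile = Profile()
    for e in history:
        profile.devices[e.device] += 1
        profile.countries[e.country] += 1
        profile.hours[e.time.hour] += 1
    return profile


def risk_score(profile: Profile, event: Event, previous: Optional[Event] = None):
    """Score one event against the profile; returns (score, reasons)."""
    score, reasons = 0, []
    if event.device not in profile.devices:
        score += 2
        reasons.append("unknown device")
    if event.country not in profile.countries:
        score += 3
        reasons.append("new country")
    if profile.seen() and profile.hours[event.time.hour] / profile.seen() < 0.05:
        score += 1
        reasons.append("unusual hour")
    if (previous is not None and previous.country != event.country
            and event.time - previous.time < TRAVEL_WINDOW):
        score += 4
        reasons.append("country changed faster than travel allows")
    return score, reasons


def monitor(profile: Profile, events, threshold: int = STEP_UP_THRESHOLD):
    """Walk a session's events in order and decide 'allow' or 'step-up' for each."""
    decisions, previous = [], None
    for e in events:
        score, reasons = risk_score(profile, e, previous)
        decisions.append(("step-up" if score >= threshold else "allow", score, reasons))
        previous = e
    return decisions


def constructed_history():
    """Twenty days of ordinary behaviour: office laptop, UK, 09:00 and 14:00."""
    start = datetime(2024, 3, 4, 9, 0)
    history = []
    for day in range(20):
        d = start + timedelta(days=day)
        history.append(Event("alice", d, "laptop-a1", "GB"))
        history.append(Event("alice", d.replace(hour=14), "laptop-a1", "GB", "open-file"))
    return history


def constructed_session():
    """A normal login, then the same account used from an unknown Windows box
    abroad 25 minutes later, then a late-night login from the usual laptop."""
    return [
        Event("alice", datetime(2024, 4, 1, 9, 15), "laptop-a1", "GB"),
        Event("alice", datetime(2024, 4, 1, 9, 40), "win-unknown", "RO", "download"),
        Event("alice", datetime(2024, 4, 2, 3, 0), "laptop-a1", "GB"),
    ]


if __name__ == "__main__":
    profile = build_profile(constructed_history())
    for event, (decision, score, reasons) in zip(constructed_session(),
                                                 monitor(profile, constructed_session())):
        print(f"{event.time:%Y-%m-%d %H:%M} {event.device:12} {event.country} -> "
              f"{decision} ({score}: {', '.join(reasons) or 'normal'})")
```

The second event is the interesting one: the attacker has a valid session (or a stolen password) but is on a device the user has never used, in a country the user has never signed in from, minutes after a genuine login elsewhere, so the score crosses the threshold and the session is challenged. The late-night login from the usual laptop scores too low to challenge but would still be logged; in a real system the weights would be tuned per organisation and the profile refreshed as behaviour changes.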

Embrace mobile working without the risk

Introducing strong and manageable security to your organisation gives you more than peace of mind – it can also give your staff the freedom to work how they want. Whether it’s from the road, from home, with hotdesking – embrace the power of mobile working without having to worry about your company’s security.

How would your business change if your staff could work from anywhere?